update: dockerfile

Dockerfile

@@ -2,6 +2,7 @@ FROM python:3.12-slim
 
 WORKDIR /app
 
+# Install system dependencies
 RUN apt-get update && apt-get install -y \
     build-essential \
     curl \
@@ -10,20 +11,38 @@ RUN apt-get update && apt-get install -y \
     wget \
     && rm -rf /var/lib/apt/lists/*
 
+# Create a non-root user
+RUN groupadd --gid 1000 appuser && \
+    useradd --uid 1000 --gid 1000 --create-home --shell /bin/bash appuser
+
+# Set UV environment variables to use writable cache locations
+ENV UV_CACHE_DIR=/tmp/uv-cache
+ENV UV_TOOL_DIR=/tmp/uv-tools
+ENV UV_PYTHON_INSTALL_DIR=/tmp/uv-python
+
 # Install UV
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+RUN pip3 install uv
 
+# Create cache directories with proper permissions
+RUN mkdir -p /tmp/uv-cache /tmp/uv-tools /tmp/uv-python && \
+    chown -R appuser:appuser /tmp/uv-cache /tmp/uv-tools /tmp/uv-python
+
+# Copy requirements first for better Docker layer caching
 COPY requirements.txt ./
 
-# Use cache mount for UV cache and install dependencies
-RUN --mount=type=cache,target=/root/.cache/uv \
-    uv venv && \
-    uv pip install -r requirements.txt
+# Switch to non-root user
+USER appuser
+
+# Create virtual environment and install dependencies
+RUN uv venv /home/appuser/.venv
+RUN uv pip install -r requirements.txt
 
-COPY src/ ./src/
+# Copy application code
+COPY --chown=appuser:appuser src/ ./src/
 
 EXPOSE 8501
 
 HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health
 
-ENTRYPOINT ["uv", "run", "streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]
+# Use the virtual environment directly
+ENTRYPOINT ["/home/appuser/.venv/bin/python", "-m", "streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]